istio-external-auth-观察.md

@@ -14,7 +14,39 @@ https://istio.io/latest/blog/2021/better-external-authz/
 remark: well-written
 > ![image](uploads/6039fb1f405c0e04033682c8683ee2f8/image.png)
 
-related file: InstallationYTung/manifests/infra-charts/istio-controller/templates/configmap.yaml
+### related file
+
+#### InstallationYTung/manifests/infra-charts/istio-controller/templates/configmap.yaml
+```yaml
+    {{- if .Values.global.enableExtAuthz }}
+    extensionProviders:
+    - name: "aaa-authz-grpc"
+      envoyExtAuthzGrpc:
+        service: "pch-bff-pipeline.apulis.svc.cluster.local"
+        port: "9000"
+        includeHeadersInCheck: ["Authorization"]
+    {{- end }}
+```
+#### InstallationYTung/manifests/infra-charts/istio-controller/templates/authz-grpc.yaml
+```yaml
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: aaa-grpc
+  namespace: istio-system
+spec:
+  action: CUSTOM
+  provider:
+    # The provider name must match the extension provider defined in the mesh config.
+    name: aaa-authz-grpc
+  rules:
+  - when:
+    - key: request.headers[From]
+      values: ["fronted"]
+    to:
+    - operation:
+        paths: ["/api/v1*"]
+```
 
 
 # further reading